Unit6 - Attacks, Malicious Logic and Countermeasures

The document discusses various cyber threats including phishing, password cracking, key loggers, spyware, adware, ransomware, and SQL injection. It outlines the methods used by attackers, the types of each threat, and preventive measures that can be taken to protect against these attacks. Key points include the importance of strong passwords, recognizing phishing attempts, and understanding different forms of malware.

UNIT6: ATTACKS, MALICIOUS LOGIC AND COUNTERMEASURES

PHISHING
Phishing is a form of online fraud in which hackers attempt to get your private information such
as passwords, credit cards, or bank account data. This is usually done by sending false emails
or messages that appear to be from trusted sources like banks or well-known websites. The
main motive of the attacker behind phishing is to gain confidential information like:

● Password
● Credit card details
● Social security numbers
● Date of birth

The attacker uses this information to further target or impersonate the user and to carry out
data theft. The most common type of phishing attack happens through email.
Phishing generally occurs through the following ways; doing any of the things listed below
can expose the user to a phishing attack:

● Clicking on an unknown file or attachment
● Using an open or free wifi hotspot
● Responding to social media requests
● Clicking on unauthenticated links or ads

Types of phishing

● Deceptive phishing
Deceptive phishing is the most common type of phishing. In this case, an attacker attempts to
obtain confidential information from the victims. Attackers use the information to steal money or
to launch other attacks. A fake email from a bank asking you to click a link and verify your
account details is an example of deceptive phishing.

● Whaling
Attackers use social media or company websites to find the names of the organization's CEO or
other members of senior management. Then they impersonate that person using a similar email
address. Emails may demand a money transfer or ask the recipient to review documents. A
whaling attack is also known as CEO fraud. Scams involving fake tax returns are an increasingly
common type of whaling.
For example, in 2016 an attacker impersonated the CEO of Snapchat, which resulted in the
release of employees' payroll information.

● Spear Phishing
This type of phishing attack uses email but with a specific, targeted approach. The attackers use
open-source intelligence (OSINT) to gather information about a particular company through
social media or the company's website. Then they make specific individuals from the company
their targets, using real names and job roles to make the recipient think the email has arrived
from a known, legitimate source.
For example, attackers leaked sensitive emails in 2016 as a result of a spear phishing assault
on the Democratic National Committee (DNC).

● Pharming
In a pharming attack, the attackers compromise a Domain Name System (DNS) server. DNS
translates domain names into IP addresses, so whenever a user types a URL in a browser, the
compromised server redirects the user to a fraudulent or cloned website that may look exactly
like the original, legitimate website.
For example, the attackers alter the DNS records to redirect the user from the legitimate banking
website to a fake one.

PASSWORD CRACKING
What is password cracking?

Password cracking is the process of using an application program to identify an unknown or
forgotten password to a computer or network resource. It can also be used to help a threat actor
obtain unauthorized access to resources.

With the information malicious actors gain using password cracking, they can undertake a range
of criminal activities. Those include stealing banking credentials or using the information for
identity theft and fraud.

A password cracker recovers passwords using various techniques. The process can involve
comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the
password.

How do you create a strong password?
Password crackers can decipher passwords in a matter of days or hours, depending on how
weak or strong the password is. To make a password stronger and more difficult to uncover, a
plaintext password should adhere to the following rules:

● Be at least 12 characters long. The shorter a password is, the easier and faster it will be
cracked.
● Combine letters and a variety of characters. Using numbers and special characters, such
as periods and commas, increases the number of possible combinations.
● Avoid reusing a password. If a password is cracked, then a person with malicious intent
could use that same password to easily access other password-protected accounts the
victim owns.
● Pay attention to password strength indicators. Some password-protected systems
include a password strength meter, which is a scale that tells users when they have
created a strong password.
● Avoid easy-to-guess phrases and common passwords. Weak passwords can be a
name, a pet's name or a birthdate (something personally identifiable). Short and easily
predictable patterns, like 123456, password or qwerty, are also weak passwords.
● Use encryption. Passwords stored in a database should be encrypted.
● Take advantage of password creation tools and managers. Some smartphones will
automatically create long, hard-to-guess passwords. For example, Apple iPhones will
create strong website passwords for users. An iPhone stores the passwords in its
password manager, iCloud Keychain and automatically fills the password into the correct
field so the user doesn't have to remember the complicated password.

What does a password cracking attack look like?

The general process a password cracker follows involves these four steps:

● Steal a password via some nefarious means. That password has likely been passed through
a hash before being stored. Hashes are mathematical functions that turn arbitrary-length inputs
into a scrambled, fixed-length output.
● Choose a cracking methodology, such as a brute-force or dictionary attack, and select a
cracking tool.
● Prepare the password hashes for the cracking program. This is done by providing an
input to the hash function to create a hash that can be authenticated.
● Run the cracking tool.

A password cracker may also be able to identify encrypted passwords. After retrieving the
password from the computer's memory, the program may be able to decrypt it. Or, by using the
same algorithm as the system program, the password cracker creates an encrypted version of
the password that matches the original.
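The rules above and the hash-then-compare process can be put together in code. The following is an added example written for these notes (not code from the original document): a checker that applies the listed rules, and a storage routine that keeps a salted, slow PBKDF2 hash instead of the plaintext, so that a stolen record cannot be read back directly and every guess has to be hashed the same way before it can be tested. The common-password list and the iteration count are constructed values for illustration.

```python
import hashlib
import hmac
import os
import string

# Thresholds taken from the rules in the text.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
# Constructed stand-in for a list of common/leaked passwords; a real deployment
# would load a large breached-password list here.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
# PBKDF2 iteration count, constructed for this example; tune upward in practice.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 hash of the password.

    Only the salt and the derived key are stored, never the plaintext, so a
    stolen record has to be attacked by re-hashing guesses (the cracking
    process the text describes) rather than read directly.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex(), key.hex()


def verify_password(password, salt_hex, key_hex):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate_hex = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate_hex, key_hex)


def password_problems(password, previous_records=()):
    """Apply the rules from the text and return the list of violations.

    previous_records holds (salt_hex, key_hex) pairs of earlier passwords, so
    the reuse rule is checked without keeping old plaintexts around.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a common password")
    if any(verify_password(password, s, k) for s, k in previous_records):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xample!"):
        print(candidate, "->", password_problems(candidate) or "accepted")
    salt, key = hash_password("Tr0ub4dor&3xample!")
    print("verify correct:", verify_password("Tr0ub4dor&3xample!", salt, key))
    print("verify wrong:  ", verify_password("tr0ub4dor&3xample!", salt, key))
```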

Password cracking techniques

Password crackers use two primary methods to identify correct passwords: brute-force and
dictionary attacks. However, there are plenty of other password cracking methods, including the
following:

● Brute force: This attack runs through combinations of characters of a predetermined
length until it finds the combination that matches the password.
● Dictionary search: Here, a password cracker searches each word in the dictionary for the
correct password. Password dictionaries exist for a variety of topics and combinations of
topics, including politics, movies and music groups.
● Phishing: These attacks are used to gain access to user passwords without the use of a
password cracking tool. Instead, a user is fooled into clicking on an email attachment.
From here, the attachment could install malware or prompt the user to use their email to
sign into a false version of a website, revealing their password.
● Malware: Similar to phishing, using malware is another method of gaining unauthorised
access to passwords without the use of a password cracking tool. Malware such as
keyloggers, which track keystrokes, or screen scrapers, which take screenshots, are
used instead.
● Rainbow attack: This approach involves using different words from the original password
in order to generate other possible passwords. Malicious actors can keep a list called a
rainbow table with them. This list contains leaked and previously cracked passwords,
which will make the overall password cracking method more effective.
● Guessing: An attacker may be able to guess a password without the use of tools. If the
threat actor has enough information about the victim or the victim is using a common
enough password, they may be able to come up with the correct characters.

KEY LOGGERS
Key loggers, also known as keystroke loggers, record the keys pressed on a system and save
them to a file, which is then accessed by the person operating the malware. A key logger can be
software or hardware. Key loggers are mainly used to steal passwords or confidential details
such as bank information.
● Software key-loggers: Software key-loggers are computer programs developed to steal
passwords from the victim's computer. However, key loggers are also used in IT
organizations to troubleshoot technical problems with computers and business networks.
Microsoft Windows 10 also has a key-logger built into it.

● Hardware key-loggers: These do not depend on any software. A hardware key-logger is a
circuit attached to the keyboard itself, so that whenever a key on that keyboard is pressed,
the keystroke gets recorded.

1. USB keylogger – USB-connector key-loggers have to be connected to the computer, where
they capture the data. Some circuits are built into the keyboard itself, so no external wire is
used or visible on the keyboard.
2. Smartphone sensors – Some Android tricks are also used as key loggers: the Android
accelerometer sensor, when placed near the keyboard, can sense the vibrations of typing, and
the resulting graph is then converted into sentences. The accuracy of this technique is about 80%.

Prevention from key-loggers: the following measures help -

● Anti-key-logger – As the name suggests, this is software that works against key loggers;
its main task is to detect key-loggers on a computer system.
● Anti-virus – Many anti-virus programs also detect key loggers and delete them from the
computer system. Being software themselves, they cannot get rid of hardware key-loggers.
● Automatic form filler – Instead of typing into forms on a regular basis, the user can use an
automatic form filler, which shields against key-loggers because no keys are pressed.
● One-time passwords – Using OTPs as passwords may be safe, since every time we log in
we have to use a new password.
● Patterns or mouse recognition – On Android devices, use a pattern as the password for
applications, and on a PC use mouse recognition, where the program uses mouse gestures
instead of a stylus.
● Voice-to-text converter – This software helps prevent keylogging that targets a specific
part of the keyboard.

SPYWARE
Spyware is one of the most common threats to internet users. Once installed, it monitors
internet activity, tracks login credentials and spies on sensitive information. The primary goal of
spyware is usually to obtain credit card numbers, banking information and passwords.
Spyware maliciously tracks a user's activity, gains access to data, or can even crash the
computer/laptop system. In many cases spyware runs as a background process and slows down
the normal functioning of the computer system.

Spyware enters the laptop/computer system through the below-listed ways:

● Phishing: It is a form of a security breach where spyware enters the system when a
suspicious link is clicked or an unknown dangerous attachment is downloaded.
● Spoofing: It goes alongside phishing and makes the unauthorized emails appear to
come from legitimate users or business units.
● Free Software or Shared Software: It gets into the system when a user installs software
that is free of cost but has additional spyware added to it.
● Misleading software: This is advertised as very beneficial for the system and boosts the
speed of the system, but it leads to the theft of confidential information from the system.

Types of spyware
Here are some common types:
● Keyloggers: These record keystrokes typed in by the user, and they can record
passwords and other sensitive messages.
● Adware: Though not necessarily badware, adware provides advertisements that are not
wanted and tracks your Internet activity to provide relevant advertisements.
● Trojans: These are rogue programs that disguise themselves as genuine applications,
but in reality, they contain spyware that spies on or steals information.
● Tracking Cookies: These are small data files that are created in your browser by the
sites that you visit to keep track of your browsing history and preferences. They can be
used for advertising purposes, since they reveal which kind of content the user prefers.
● System Monitors: These capture user activity relative to the online mode and use of the
system for other ill intentions.
● Data Harvesters: These are intended for the capture and transfer of messages or data,
which may be in the form of personal identity, log-in data, or even a credit card number,
among others.
● Browser hijackers: These make changes to your browser, like the home page or search
page, and can forward you to sites that contain malware.
● Remote Access Trojans (RATs): These grant the attackers full control of your device
from a distance without being noticed, giving them access to all files, among other things.

ADWARE
Adware is software that automatically displays or downloads advertising material (pop up
advertisements), often unwanted, when a user is online. It’s typically used by companies to
generate revenue by showing ads to the user, often within a web browser or during the
installation process of free software.
Adware is a type of software that shows unwanted ads on your device. It can sneak into your
system through free downloads, suspicious websites, or email links. While some adware is just
annoying, other types can slow down your device, change your browser settings, and even
threaten your online security.
Adware is all about making money for those who create and spread it. They earn money
through different ways like pay-per-click (PPC), Pay-per-view (PPV) and Pay-per-install (PPI).

Types of Adware
Adware comes in various forms, each with its own method of displaying ads or collecting data.

1. Pop-Up Adware
This is one of the most noticeable types of adware. It creates pop-up advertisements that
suddenly appear while browsing the internet. These ads can be intrusive, blocking the content
you are trying to view or popping up in new tabs or windows, disrupting your online activities.

2. Browser Hijacker Adware
This type of adware takes control of your web browser settings. It can change your homepage,
modify your search engine, or add toolbars without your consent. The aim is often to redirect
your web searches to advertising or malicious websites to generate revenue.

3. Legitimate Adware
Not all adware is tricky or dishonest. Some programs are clear about showing ads because
that’s how they can offer you their service or app for free. Since these programs tell you about
the ads upfront, it’s considered a fairer type of adware. This means you can decide if you want
to keep using the app with the ads.

4. Spyware Adware
This variant not only displays ads but also tracks and collects user data, such as browsing
habits, for targeted advertising or selling information to third parties.

5. Trojan Adware
Trojan adware pretends to be safe and useful software to trick people into downloading it. After
it’s installed, it shows ads and can also do bad things to your computer, like trojan malware
does. It’s very risky because it can cause more problems, like letting other viruses in or stealing
your private information.

6. Ad-Injecting Software
This type injects ads into web pages so that they appear as part of the site itself, often
misleading users about their origin.

7. Mobile Adware
Specifically designed for mobile devices, this type displays ads on smartphones or tablets,
sometimes even when the app itself is not actively used.

RANSOMWARE
Ransomware is a type of malware that holds a victim’s sensitive data or device hostage,
threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker.
One of the most commonly used tactics is phishing. Attackers spread malicious content using
email, social media, advertisements, and website pop-ups, among other methods.

SQL INJECTION
SQL Injection is a security flaw in web applications where attackers insert harmful SQL code
through user inputs. This can allow them to access sensitive data, change database contents or
even take control of the system. It’s important to know about SQL Injection to keep web
applications secure.

SQL Injection Types

There are different types of SQL injection attacks:

1. In-band SQL Injection
It involves sending malicious SQL queries directly through the web application's interface.
It allows attackers to extract sensitive information or modify the database itself.

2. Error-based SQL Injection
Attackers exploit the error messages generated by the web application, analyzing them to
gain access to confidential data or modify the database.

3. Blind SQL Injection
Attackers send malicious SQL queries and observe the application's response.
By analyzing the application's behavior, attackers can determine the success of the query.

4. Out-of-band SQL Injection
Uses a different channel to communicate with the database.
Allows attackers to exfiltrate sensitive data from the database.

5. Inference-based SQL Injection
Uses statistical inference to gain access to confidential data.
Attackers create queries that return the same result regardless of input values.

Impact of SQL Injection

The hacker can retrieve all the user data present in the database such as user details, credit
card information, and social security numbers, and can also gain access to protected areas like
the administrator portal.
It is also possible to delete user data from the tables.
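To make the flaw concrete, here is an added example (not from the original notes) using Python's built-in sqlite3 module with a constructed in-memory user table: the same lookup written first by pasting the input into the SQL text, then as a parameterized query, run against a normal username and against the kind of quote-and-tautology input the text describes. The table contents and hash values are placeholders.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's user store;
    the hash values are placeholders, not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "placeholder-hash-a", "admin"), ("bob", "placeholder-hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flaw the text describes: the input is pasted into the SQL text, so a
    quote in it ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a parameterized query. The driver passes the input as a
    bound value, so quotes or keywords in it cannot change the statement."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def vulnerable_error_message(conn, username):
    """Error-based surface: a malformed input makes the database raise, and an
    application that echoes the message hands out query details."""
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input of the kind the text describes: the quote closes
    # the literal and the OR clause is true for every row.
    hostile = "nobody' OR '1'='1"
    awkward = "o'brien"  # a legitimate name that merely contains a quote
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "vulnerable_error": vulnerable_error_message(conn, awkward),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
        "safe_awkward": lookup_safe(conn, awkward),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result!r}")
```

The parameterized version returns both admin and user rows only for the real usernames, treats the hostile string as a username that does not exist, and raises no error for the name containing a quote.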

BUFFER OVERFLOW
A buffer is a temporary area for data storage. When more data (than was originally allocated to
be stored) gets placed by a program or system process, the extra data overflows. It causes
some of that data to leak out into other buffers, which can corrupt or overwrite whatever data
they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that
damages files, changes data or unveils private information.

Common consequences of a buffer overflow attack include the following:

● System crashes: A buffer overflow attack will typically lead to the system crashing. It
may also result in a lack of availability and programs being put into an infinite loop.
● Access control loss: A buffer overflow attack will often involve the use of arbitrary code,
which is often outside the scope of programs’ security policies.
● Further security issues: When a buffer overflow attack results in arbitrary code
execution, the attacker may use it to exploit other vulnerabilities and subvert other
security services.

DOS AND DDOS

A denial-of-service (DoS) attack floods a server with traffic, making a website or resource
unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple
computers or machines to flood a targeted resource. Both types of attacks overload a server or
web application with the goal of interrupting services.
As the server is flooded with more Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) packets than it can process, it may crash, the data may become corrupted, and
resources may be misdirected or even exhausted to the point of paralyzing the system.

Different types of DoS and DDoS
● Teardrop attack
A teardrop attack is a DoS attack that sends countless Internet Protocol (IP) data fragments to a
network. When the network tries to recompile the fragments into their original packets, it is
unable to.

● Flooding attack
A flooding attack is a DoS attack that sends multiple connection requests to a server but then
does not respond to complete the handshake.

● IP fragmentation attack
An IP fragmentation attack is a type of DoS attack that delivers altered network packets that the
receiving network cannot reassemble. The network becomes bogged down with bulky
unassembled packets, using up all its resources.

● Volumetric attack
A volumetric attack is a type of DDoS attack used to target bandwidth resources. For example,
the attacker uses a botnet to send a high volume of request packets to a network, overwhelming
its bandwidth with Internet Control Message Protocol (ICMP) echo requests. This causes
services to slow down or even cease entirely.

● Protocol attack
A protocol attack is a type of DDoS attack that exploits weaknesses in Layers 3 and 4 of the
OSI model. For example, the attacker may exploit the TCP connection sequence, sending
requests but either not answering as expected or responding with another request using a
spoofed source IP address. Unanswered requests use up the resources of the network until it
becomes unavailable.

DOS vs DDOS
● DoS stands for Denial of Service attack, whereas DDoS stands for Distributed Denial of
Service attack.
● In a DoS attack a single system targets the victim system; in a DDoS attack multiple systems
attack the victim's system.
● In DoS the victim PC is loaded with packets of data sent from a single location; in DDoS the
victim PC is loaded with packets of data sent from multiple locations.
● A DoS attack is slower as compared to DDoS; a DDoS attack is faster than a DoS attack.
● DoS can be blocked easily as only one system is used; DDoS is difficult to block as multiple
devices are sending packets and attacking from multiple locations.
● In a DoS attack only a single device is used, with DoS attack tools; in a DDoS attack,
volumes of bots are used to attack at the same time.
● DoS attacks are easy to trace; DDoS attacks are difficult to trace.
● The volume of traffic in a DoS attack is less as compared to DDoS; DDoS attacks allow the
attacker to send massive volumes of traffic to the victim network.
● Types of DoS attacks are:
1. Buffer overflow attacks
2. Ping of Death or ICMP flood
3. Teardrop attack
4. Flooding attack
● Types of DDoS attacks are:
1. Volumetric attacks
2. Fragmentation attack
3. Application layer attacks
4. Protocol attack

IDS AND IPS

An intrusion detection system (IDS) observes network traffic for malicious transactions and
sends immediate alerts when such traffic is observed. It is software that checks a network or
system for malicious activities or policy violations. An IDS monitors a network or system for
malicious activity and protects a computer network from unauthorized access by users.

Working of Intrusion Detection System (IDS)

● An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect
any suspicious activity.
● It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
● The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
● If the IDS detects something that matches one of these rules or patterns, it sends an
alert to the system administrator.
● The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.

Classification of Intrusion Detection System (IDS)

1. Network Intrusion Detection System (NIDS)
Network intrusion detection systems (NIDSs) monitor inbound and outbound traffic to devices
across the network. NIDS are placed at strategic points in the network, often immediately
behind firewalls at the network perimeter so that they can flag any malicious traffic breaking
through.

2. Host Intrusion Detection System (HIDS)
Host intrusion detection systems (HIDSs) are installed on a specific endpoint, like a laptop,
router, or server. The HIDS only monitors activity on that device, including traffic to and from it. A
HIDS typically works by taking periodic snapshots of critical operating system files and
comparing these snapshots over time. If the HIDS notices a change, such as log files being
edited or configurations being altered, it alerts the security team.

3. Application Protocol-based Intrusion Detection System (APIDS)
An application protocol-based IDS (APIDS) works at the application layer, monitoring
application-specific protocols. An APIDS is often deployed between a web server and an SQL
database to detect SQL injections.

Benefits of IDS
● Detects Malicious Activity: IDS can detect any suspicious activities and alert the system
administrator before any significant damage is done.
● Improves Network Performance: IDS can identify any performance issues on the
network, which can be addressed to improve network performance.
● Compliance Requirements: IDS can help in meeting compliance requirements by
monitoring network activity and generating reports.
● Provides Insights: IDS generates valuable insights into network traffic, which can be
used to identify any weaknesses and improve network security.

IPS
An Intrusion Prevention System (IPS) is a crucial component of any network security strategy. It
monitors network traffic in real-time, compares it against known attack patterns and signatures,
and blocks any malicious activity or traffic that violates network policies. An IPS is an essential
tool for protecting against known and unknown threats, complying with industry regulations, and
increasing network visibility.

Types of IPS
There are two main types of IPS:

Network-Based IPS: A Network-Based IPS is installed at the network perimeter and monitors
all traffic that enters and exits the network.

Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the traffic that
goes in and out of that host.
How Does an IPS Work?
An IPS works by analyzing network traffic in real-time and comparing it against known attack
patterns and signatures. When the system detects suspicious traffic, it blocks it from entering
the network.

Comparison of IPS with IDS:

The main differences between an Intrusion Prevention System (IPS) and an Intrusion Detection
System (IDS) are:

1. Intrusion prevention systems are placed in-line and are able to actively prevent or block
intrusions that are detected.
2. IPS can take such actions as sending an alarm, dropping detected malicious packets,
resetting a connection or blocking traffic from the offending IP address.
3. IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams,
mitigate TCP sequencing issues and clean up unwanted transport and network layer
options.
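The "compare activity against predefined rules, then alert" loop described under the working of an IDS, and the in-line blocking that distinguishes an IPS in the comparison above, can be shown with a small rule engine. The following is an added example, not part of the original notes, that runs over constructed web-server access-log lines: a signature rule for the SQL injection pattern covered earlier and a threshold rule for repeated failed logins produce alerts (IDS behaviour), and an in-line step turns the same matches into blocked source addresses (IPS behaviour). The addresses, log lines and thresholds are all constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed web-server access-log lines (documentation-range addresses, not
# from any real system). The second line carries a URL-encoded quote-and-
# tautology string; the 198.51.100.4 lines are five failed logins in a row.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "GET /login?user=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812
198.51.100.4 - - [10/Oct/2024:13:55:03 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.4 - - [10/Oct/2024:13:55:04 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.4 - - [10/Oct/2024:13:55:05 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.4 - - [10/Oct/2024:13:55:06 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.4 - - [10/Oct/2024:13:55:07 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [10/Oct/2024:13:55:08 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common Log Format: client, identity, user, [time], "method path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Predefined rules. The signature looks for a quote followed by OR/AND and a
# comparison, the shape of the tautology input the SQL injection section shows.
SQLI_SIGNATURE = re.compile(r"(?i)'\s*(or|and)\s+'?\w+'?\s*=")
FAILED_LOGIN_THRESHOLD = 5  # constructed threshold for the guessing rule


def parse_log(text):
    """Turn raw log lines into event dicts; the path is URL-decoded so that an
    encoded payload cannot slip past the signature."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            event = match.groupdict()
            event["path"] = unquote(event["path"])
            event["status"] = int(event["status"])
            events.append(event)
    return events


def detect(events):
    """IDS step: compare each event and per-source aggregates against the rules
    and return alerts as (rule, source_ip, detail) tuples."""
    alerts = []
    failed_logins = Counter()
    for event in events:
        if SQLI_SIGNATURE.search(event["path"]):
            alerts.append(("sql-injection-signature", event["ip"], event["path"]))
        if event["path"].startswith("/login") and event["status"] == 401:
            failed_logins[event["ip"]] += 1
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("password-guessing", ip, f"{count} failed logins"))
    return alerts


def block_list(alerts):
    """IPS step: placed in-line, the same rule hits become block decisions on
    the offending source addresses."""
    return sorted({ip for _, ip, _ in alerts})


def pass_through(events, blocked):
    """Traffic an in-line IPS would still forward after blocking those sources."""
    return [event for event in events if event["ip"] not in blocked]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    found = detect(parsed)
    for alert in found:
        print("ALERT", alert)
    blocked = block_list(found)
    print("blocked:", blocked)
    print("forwarded:", [e["ip"] for e in pass_through(parsed, blocked)])
```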

Types of Viruses
Here is a list of the different types of computer viruses:

1. Boot Sector Virus: A boot sector virus infects the boot sector of storage devices like hard drives
and floppy disks. When an infected device is booted, the virus is loaded into memory, allowing it
to infect other storage devices connected to the computer.

2. Browser Hijacker: The browser hijacker virus modifies browser settings, redirects searches,
and displays unwanted ads. It aims to control user browsing behavior for malicious purposes.

3. Direct Action Virus: A direct action virus attaches itself to executable files and activates
whenever an infected file is executed, spreading to other files in the same directory.

4. Encrypted Virus: An encrypted virus uses encryption techniques to hide its malicious code,
making it difficult to detect by antivirus software and increasing its chances of successful
infection.

5. File Infector Virus: File infectors infect executable files, such as .exe or .dll files, by
embedding their code. Once the infected file is executed, the virus becomes active and can
potentially infect other files.

6. Macro Virus: Macro viruses infect files that contain macros, such as documents or
spreadsheets. When the infected file is opened, the macro virus executes its code, potentially
causing damage.

7. Multipartite Virus: A multipartite virus infects both the boot sector of a computer's hard drive
and executable files, making it difficult to remove.

8. Polymorphic Virus: A polymorphic virus can change its code or signature while maintaining its
malicious function. It creates numerous slightly different copies of itself, making it more
challenging to detect and remove by antivirus software.

9. Resident Virus: A resident virus embeds itself in the computer’s memory and remains active
even after the infected program has finished executing, allowing it to infect other files and
systems.

10. Web Scripting Virus: A web scripting virus exploits vulnerabilities in web scripting languages,
such as JavaScript, to execute malicious code on websites and infect visitors’ devices with
malware or steal their information.
